login form how to give access only to one device

Question

For learning reason, trying to give login access only for one device so I added new row inside user table in database called ip which stored registered user ip then for example I did something like that

if($user->ip == $myip){ echo 'success'; }

the problem here that ip changing so the form can't let me access or logged in, So my question is there anyway to logged in from only by using one device without using ip ?

Answer 1

Fixing the IP address might not be possible. There are a number of other ways to achieve your goal, ranging from cheap and simple to very complicated and expensive. Here are a couple.

• Use a USB key (such as this one) that enters a strong password on the push of a button.

• Use two way SSL (see question), safe but complicated

• The easiest of these options (and my recommendation) is to set a long living cookie (using a browser developer toolbar or extension) and check in PHP for the existence of the cookie in the $_COOKIE array

Good luck!

Answer 2

You must use a cookie, and if the cookie is set, you must not allow a new login.

The following experts and accepted solutions agree:

how to identify remote machine uniquely in php?' Accepted solution: uniquely identify the computer via cookie

Uniquely identify one computer Accepted solution: set a cookie that must be present on future logins

How to uniquely identify a computer? Accepted solution: the solution discusses Evercookie but the point seems to be you need a cookie

So, in summary, however you identify this user, if the user has a cookie, let them in. If they don't, I don't know what you're going to do, but maybe that's part of what you are mysteriously trying to learn here.

Answer 3

Not the best solution:

Public IP's are dynamic, meaning when a router is restarted - they obtain a new IP address. Yes, you could never restart the router but you cannot protected against physical things like electricity meaning check-ups, power outs, etc..

The best idea here is to make this Software un-accessible from outside the node you want to be able to interact with. Meaning, use Apache and MySQL (like XAMPP) and run it only on that node.

If you're looking for a long-term solutions to be able to add IP's, used a shared network. Or implement security conventions like Authentication (login).

However, if you want to consist in building it from your point of view: use the $_SERVER super variable to access the current IP and you'd need to know it before they visit (so find it out by going to something like what is my ip.

if($_SERVER['SERVER_ADDR'] == $somePreknownIp) {
    // authorised
}

Answer 4

I would recommend using a cookie instead. First add the following code:

 If ($user -> me) {
setcookie("HeyItsMe", 'SomeReallyHardToGuessValue', time()+3600*24*365);  /* this would expire in 1 year */
}

This will set the cookie for just you since you're logged in. Then, you can get rid of the the code and add the following in your login screen:

 if (isset($_COOKIE['HeyItsMe']) && $_COOKIE['HeyItsMe']== 'SomeReallyHardToGuessValue') { 
/**show them  the login screen **/
} else {
  exit;
}

Answer 5

If your have dynamic IP then you can not do it using IP address. Therefor I suggest you to use sessions.

To do that you have to create another PHP file in your root folder(project folder). And do not share that file name with others. (I named that file as loginHandler.php)

loginHandler.php file has following content.

<?php
session_start(); 
// assign value to loginHandler.
$_SESSION['loginHandler'] = "99";
// redirect to login page
header('Location: login.php');
?>

On your login page (login.php), you have to start session top of the page. And if $_SESSION['loginHandler'] set, Then it will display your login form. Otherwise it will display only rest of the content.

<?php session_start(); ?>
<p>Page Content</p>

<?php if(isset($_SESSION['loginHandler'])): ?>
    <div id="loginBlock">
        <form method="post" action="">
            <p>Your Login Form</p>
        </form>
    </div>
<?php endif ?>

<p>Page Content</p>

If you want to login. Then first you have to access loginHandler.php file. Then you will be redirected to login.php page. And you can access login form.

But others do not know about loginHandler.php, Therefor they try to access login form directly. Then that login form will not display for them.

Answer 6

Edit:

Upon re-reading the question I see that I've misunderstood what the OP was really asking for. Leaving my original reply underneath, in case someone else finds it useful.

The proper answer to this questions is: Why care about who gets to see the login form? Just use a properly strong password, and the correct techniques for preventing brute-force attempts (throttle limiting).

Any secret key, or similar, you add to this script is just another password after all. Any other information derived from your connection, browser or whatever, can be sniffed and spoofed by an attacker (or even changed from underneath you, for any reason).

Limiting to a single (or range of) IP(s) is only really useful if you have a static IP, and want to make it a bit more difficult for any potential hacker to break your password.
It is not a replacement for a good password.

---

Original answer:

This is actually a rather common problem, and solved quite a few times. While it takes a bit of work to implement the solution, it is quite straight forward.

First off you need to create a table to keep track of the sessions for each user. This table needs only two (or three) fields:

• user id
• session id
• (timestamp)

The timestamp can be omitted as it's not essential, but it might be nice to have for debugging/logging purposes.

Once you have that you need to re-write your login script a bit. So that it first checks if the user has any active sessions already, if they don't then simply create a new session and store its ID in the abovementioned table.
However, if the user does have a session active already, then you need to do one of two things:

• If you want to disallow any further logins, simply return an error explaining that they are already logged in.
• Or, delete the old sessions and then log them in on the new device.

Of these two approaches I'd prefer the latter one, as the first one can lead to a user accidentally locking himself out of the system. Until you, as the administrator, go in and manually delete the old session.
The second approach will require a bit more work, in order to delete/invalidate the old sessions, but is generally more robust. It will also give the users the least amount of surprise, as they expect to be logged in when attempting to do so. Instead of having to go chase down whatever unit they think they logged in with last.

Another thing you could do, if you decide on approach 1, is to log the timestamp and then use this in conjunction with the max session lifetime. If time_now - max_session_lifetime > timestamp then you know the session is old, and can be deleted automatically. Ensuring that the user will, eventually, be able to log in without having to rely upon finding/getting the old unit, or you manually deleting it.

I won't post any code on this, for two reasons:

1. You haven't posted the code in which you handle the logins, making it impossible for me to suggest any specific changes.
2. The changes needs to be done in quite a few places, and requires a redesign of your logic.

However, follow my logic and set up a pseudo code/flowchart diagram and it should be quite easy to implement.

Answer 7

one thing goes into my mind. If you know his phone number, send him SMS with token to log in. Of course there is technical issue about sending SMS message, that i'm as newbie are unable to solve...

Answer 8

You can use Mobile-Detect php library and get the device information of particular device and can add device details in db then you can put a check for that particular device.

Official documentation for library is here - Mobile-Detect

And for usage go here - Usage example

There is one for Client side also - mobile-detect.js

Hope this will help you some way (y).

Answer 9

You can combine 2 approaches into one. You have a list with 3 IP-addresses. For example:

$whitelist = [
    '192.168.1.2', 
    '192.168.1.3', 
    '192.168.1.4',
];

Then you should check address or cookie:

$accessCode = 'Xvj482Sfjfi2Ghj23PoqT'; //some random string
$cookieExpireValue = time() + 3600 * 24 * 365 * 3; //3 years

$isIpValid = ($_SERVER['REMOTE_ADDR'] && in_array($_SERVER['REMOTE_ADDR'], $whitelist, true));
$isCookieSet = (isset($_COOKIES['access_code']) && $_COOKIES['access_code'] === $accessCode);

if ($isIpValid || $isCookieSet) {
    setcookie("access_code", $accessCode, $cookieExpireValue);
    echo 'success';
}

Pros:

• It restricts access
• If IP-address changes, user has access for 3 years
• You can change $accessCode and $whitelsit to block users which already got access
• It simple

Cons:

• If some user gets whitelisted IP, he will get access
• If a user loses the cookie (OS reinstall, browser clean, etc) with new IP-address, he will lost access (just change the $whitelist)

In case, you have different user's records for every device and you restrict access after form's submitting, you can save a new IP-address for that user if the user has a valid cookie:

if ($isIpValid || $isCookieSet) {
    setcookie("access_code", $accessCode, $cookieExpireValue);
    $user->ip = $_SERVER['REMOTE_ADDR'];
    $user->save();
    echo 'success';
}

and change the validation:

$isIpValid = ($_SERVER['REMOTE_ADDR'] && (in_array($_SERVER['REMOTE_ADDR'], $whitelist, true) || $user->ip === $_SERVER['REMOTE_ADDR']));

In this case you can get rid of the whitelist of addresses, just set ip for every whitelisted user.